12.13 Nginx Hotlink Protection / 12.14 Nginx Access Control / 12.15 Nginx PHP Parsing Configuration / 12.16 Nginx Proxy

12.13 Nginx Hotlink Protection

This configuration is best combined with the "no access log" and "expiry time" settings, because all three use the same location block.

location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;   # define a whitelist of referers
    if ($invalid_referer) {                                    # if the referer is not in the whitelist
        return 403;                                            # return 403
    }
    access_log off;
}

~* means the match is case-insensitive.

[root@aminglinux-02 ~]# curl -e "http://www.baidu.com/1.html" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 15:34:55 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@aminglinux-02 ~]# curl -e "http://www.test.com/1.html" -x127.0.0.1:80 test.com/1.gif -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 15:35:20 GMT
Content-Type: image/gif
Content-Length: 66
Last-Modified: Fri, 11 Aug 2017 17:51:27 GMT
Connection: keep-alive
ETag: "598dee9f-42"
Expires: Mon, 21 Aug 2017 15:35:20 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

Accessing with the referer www.baidu.com gives 403; changing it to www.test.com gives 200, which shows that hotlink protection is working.
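To make the decision table of that valid_referers line explicit, here is an added Python model of how nginx evaluates the none, blocked, server_names and *.test.com entries against a Referer header (example code written for this page, not nginx's own implementation; the server name and the entry list are taken from the configuration above, and the matching is simplified to the host part only):

```python
import re

# Constructed model of the page's directive (not nginx's own code):
#   valid_referers none blocked server_names *.test.com;
SERVER_NAMES = ["test.com"]
VALID_REFERERS = ["none", "blocked", "server_names", "*.test.com"]

def referer_host(referer):
    """Host part of an http:// or https:// Referer, lower-cased; None if no scheme."""
    m = re.match(r"^https?://([^/:?#]+)", referer, re.IGNORECASE)
    return m.group(1).lower() if m else None

def host_matches(host, pattern):
    """Literal name, or a leading/trailing-asterisk pattern such as *.test.com."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # www.test.com matches, test.com itself does not
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern

def is_invalid_referer(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when nginx would set $invalid_referer, i.e. the block returns 403.
    referer=None means the header was absent."""
    if referer is None:
        return "none" not in valid
    host = referer_host(referer)
    if host is None:                        # header present but without http(s):// (stripped by a proxy)
        return "blocked" not in valid
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        names = server_names if entry == "server_names" else [entry]
        if any(host_matches(host, n) for n in names):
            return False
    return True

if __name__ == "__main__":
    for ref in ("http://www.baidu.com/1.html", "http://www.test.com/1.html", None):
        print(ref, "->", 403 if is_invalid_referer(ref) else 200)
```

Note that *.test.com alone would not accept a referer of http://test.com/ (no subdomain); that is what the server_names entry covers.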

12.14 Nginx Access Control

Restricting by directory

location /admin/
    {
          allow 192.168.133.1;      # whitelist
          allow 127.0.0.1;          # whitelist
          deny all;                 # deny everyone else
    }

The rules are evaluated line by line, in order; once a rule matches, no further rules are evaluated.

[root@aminglinux-02 ~]# curl -x127.0.0.1:80 test.com/admin/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 15:54:51 GMT
Content-Type: application/octet-stream
Content-Length: 11
Last-Modified: Mon, 14 Aug 2017 15:54:48 GMT
Connection: keep-alive
ETag: "5991c7c8-b"
Accept-Ranges: bytes

[root@aminglinux-02 ~]# curl -x127.0.0.2:80 test.com/admin/1.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 15:54:57 GMT
Content-Type: application/octet-stream
Content-Length: 11
Last-Modified: Mon, 14 Aug 2017 15:54:48 GMT
Connection: keep-alive
ETag: "5991c7c8-b"
Accept-Ranges: bytes

[root@aminglinux-02 ~]# cat /tmp/test.com.log
127.0.0.1 - [12/Aug/2017:01:48:01 +0800] test.com "/" 200 "-" "curl/7.29.0"
127.0.0.1 - [12/Aug/2017:01:50:13 +0800] test.com "/2.jsfsdfe" 404 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:47:09 +0800] test.com "/admin" 301 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:51:10 +0800] test.com "/admin" 301 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:51:26 +0800] test.com "/admin" 301 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:52:59 +0800] test.com "/admin" 301 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:53:08 +0800] test.com "/admin/1.php" 404 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:54:51 +0800] test.com "/admin/1.php" 200 "-" "curl/7.29.0"
127.0.0.1 - [14/Aug/2017:23:54:57 +0800] test.com "/admin/1.php" 200 "-" "curl/7.29.0"

Because both requests still originated from 127.0.0.1 (the -x option only changes the proxy address curl connects to), access was allowed normally.

To test accurately, add another IP to the ens34 interface and access the site from that IP, then look at the curl result.

[root@aminglinux-02 ~]# dhclient ens34
[root@aminglinux-02 ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.133.131  netmask 255.255.255.0  broadcast 192.168.133.255
        inet6 fe80::6e6a:61ff:f17c:5942  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c4:13:b8  txqueuelen 1000  (Ethernet)
        RX packets 19843  bytes 1420313 (1.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4417  bytes 559642 (546.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.161.128  netmask 255.255.255.0  broadcast 192.168.161.255
        inet6 fe80::44fe:e11f:f99c:4de1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c4:13:c2  txqueuelen 1000  (Ethernet)
        RX packets 6  bytes 1490 (1.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3412  bytes 606434 (592.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 174  bytes 14813 (14.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 174  bytes 14813 (14.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@aminglinux-02 ~]# curl -x192.168.161.128:80 test.com/admin/1.php -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 15:59:23 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

This confirms the configuration works: an IP that is neither the first nor the second allowed entry cannot open the page.
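The following added Python example (not from the page or from nginx) reproduces the first-match rule evaluation of the /admin/ block above and then applies it to constructed log lines in the page's own access-log format, which shows why the curl -x127.0.0.2 request was still allowed: the first field is the client address curl connected from, not the proxy target. CIDR targets are supported as the general form of the allow directive even though the page only uses single addresses.

```python
import ipaddress
import re

# Constructed rule list mirroring the page's location /admin/ block.
ADMIN_RULES = [
    ("allow", "192.168.133.1"),
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]

def is_allowed(client_ip, rules):
    """Evaluate allow/deny rules top to bottom; the first matching rule wins.
    A target is a single address, a CIDR block (general form, not used on the
    page) or the keyword 'all'. If no rule matches at all, access is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return True

# Constructed lines in the page's custom log format:
#   ip - [time] host "uri" status "referer" "user-agent"
SAMPLE_LOG = [
    '127.0.0.1 - [14/Aug/2017:23:54:51 +0800] test.com "/admin/1.php" 200 "-" "curl/7.29.0"',
    '192.168.161.128 - [14/Aug/2017:23:59:23 +0800] test.com "/admin/1.php" 403 "-" "curl/7.29.0"',
    '127.0.0.1 - [14/Aug/2017:23:47:09 +0800] test.com "/" 200 "-" "curl/7.29.0"',
]
LOG_RE = re.compile(r'^(\S+) - \[[^\]]+\] \S+ "([^"]*)" (\d{3})')

def audit_admin_log(lines, rules, prefix="/admin/"):
    """For each request under prefix return (client_ip, uri, logged_status, allowed_by_rules).
    The client IP is the first log field: the address the request came from."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri, status = m.groups()
        if uri.startswith(prefix):
            rows.append((ip, uri, int(status), is_allowed(ip, rules)))
    return rows

if __name__ == "__main__":
    for row in audit_admin_log(SAMPLE_LOG, ADMIN_RULES):
        print(row)
```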

Restricting by specific URL

location ~ .*(upload|image)/.*\.php$
{
        deny all;
}

To make testing easier, create the required directory and files:

[root@aminglinux-02 ~]# mkdir /data/wwwroot/test.com/upload
[root@aminglinux-02 ~]# cd !$
cd /data/wwwroot/test.com/upload
[root@aminglinux-02 upload]# vim 1.php
[root@aminglinux-02 upload]# vim 1.jpg
[root@aminglinux-02 test.com]# curl -x127.0.0.1:80 test.com/upload/1.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>

[root@aminglinux-02 test.com]# curl -x127.0.0.1:80 test.com/upload/1.jpg
1.jpg

Restricting by user_agent

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
          return 403;
    }

return 403 and deny all have the same effect.

Test

[root@aminglinux-02 test.com]# curl -A "Tomato" -x127.0.0.1:80 test.com/index.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 16:23:57 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Because the configured match is case-sensitive, a lower-case user agent is not blocked:

[root@aminglinux-02 test.com]# curl -A "tomato" -x127.0.0.1:80 test.com/index.html -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 16:24:04 GMT
Content-Type: text/html
Content-Length: 9
Last-Modified: Thu, 10 Aug 2017 17:35:22 GMT
Connection: keep-alive
ETag: "598c995a-9"
Accept-Ranges: bytes

Change it to a case-insensitive match.
Before:

if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')

After:

if ($http_user_agent ~* 'Spider/3.0|YoudaoBot|Tomato')

Test

[root@aminglinux-02 test.com]# curl -A "tomato" -x127.0.0.1:80 test.com/index.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 16:26:25 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

[root@aminglinux-02 test.com]# curl -A "Tomato" -x127.0.0.1:80 test.com/index.html -I
HTTP/1.1 403 Forbidden
Server: nginx/1.12.1
Date: Mon, 14 Aug 2017 16:26:34 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

12.15 Nginx PHP Parsing Configuration

Parsing PHP

Create a phpinfo file

[root@aminglinux-02 test.com]# pwd
/data/wwwroot/test.com
[root@aminglinux-02 test.com]# vim 3.php
[root@aminglinux-02 test.com]# cat 3.php
<?php
phpinfo ();

Check whether the system can parse PHP

[root@aminglinux-02 test.com]# curl -x127.0.0.1:80 test.com/3.php
<?php
phpinfo ();

The source code is returned directly; PHP is not being parsed.

Modify the configuration

[root@aminglinux-02 test.com]# !vim
vim /usr/local/nginx/conf/vhost/test.com.conf

location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;   # if this path is wrong, nginx returns 502
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;  # /data/wwwroot/test.com must be the path set by root in this config file
    }

After configuring, check the syntax and reload the service:

/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload

Case studies:

1.

A wrong socket name makes the page return 502

[root@aminglinux-02 test.com]# curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>

1. Check the nginx error log

If you do not know the path of the error log, look it up in nginx.conf.

[root@aminglinux-02 test.com]# cat /usr/local/nginx/logs/nginx_error.log
2017/08/15 00:41:29 [crit] 5987#0: *26 connect() to unix:/tmp/php-fci.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: test.com, request: "GET HTTP://test.com/3.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fci.sock:", host: "test.com"

2. The phrase "No such file or directory" tells us the file or directory does not exist, so look for the file php-fci.sock:

[root@aminglinux-02 test.com]# ls /tmp/php-fci.sock
ls: 无法访问/tmp/php-fci.sock: 没有那个文件或目录

3. The file still does not exist, so check whether the configured socket path is correct:

[root@aminglinux-02 test.com]# cat /usr/local/php-fpm/etc/php-fpm.conf
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock    ; check this line: is the file defined here the same as the missing one?
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

Comparing the two shows the file name is wrong, so go back and check the nginx conf.
The error is in the virtual host configuration file; changing the socket name back to the correct one restores service:

fastcgi_pass unix:/tmp/php-fcgi.sock;   

PS:
The listen = /tmp/php-fcgi.sock setting on the PHP side is important: it determines whether nginx can hand requests to php-fpm correctly instead of returning 502.

  1. When listen in the PHP config uses a socket, the corresponding nginx config must use fastcgi_pass unix:/tmp/php-fcgi.sock;
  2. When listen in the PHP config uses an IP and port, "127.0.0.1:9000", the corresponding nginx config must be changed to fastcgi_pass 127.0.0.1:9000;

2.

If listen.mode = 666 is not set in the php-fpm config, the default is 660, and with the default permissions nginx cannot access the socket, producing 502.

[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
# listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
[root@aminglinux-02 test.com]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

By default nginx connects to the PHP service as the user nobody. With mode 660 and the socket owned by root:root, only root can access it; when nobody tries to use the socket the connection fails, and nginx finally returns 502.

[root@aminglinux-02 test.com]# !ls
ls -lhtr /tmp/php-fcgi.sock
srw-rw---- 1 root root 0 8月  15 01:28 /tmp/php-fcgi.sock
[root@aminglinux-02 test.com]# !curl
curl -x127.0.0.1:80 test.com/3.php
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.12.1</center>
</body>
</html>

This is why listen.mode = 666 is set by default when configuring php-fpm: so that every user can access and read the socket.
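As an added example for cases 1 and 2 above (written for this page, not part of nginx or php-fpm), the following Python cross-checks an nginx vhost against php-fpm.conf for the two 502 causes just described: a fastcgi_pass target that differs from php-fpm's listen, and a unix socket with listen.mode unset. The config excerpts are constructed from the page's listings.

```python
import re

# Constructed excerpts of the two config files from the page's first case (not the real files).
NGINX_VHOST = r"""
location ~ \.php$
    {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fci.sock;
        fastcgi_index index.php;
    }
"""
PHP_FPM_CONF = """
[www]
listen = /tmp/php-fcgi.sock
# listen.mode = 666
user = php-fpm
"""

def nginx_fastcgi_pass(text):
    """Target of fastcgi_pass with any unix: prefix removed, so a socket path
    and an ip:port form can both be compared directly with php-fpm's listen."""
    m = re.search(r"^\s*fastcgi_pass\s+(?:unix:)?(\S+?)\s*;", text, re.MULTILINE)
    return m.group(1) if m else None

def phpfpm_listen(text):
    """(listen, listen.mode) from php-fpm.conf; lines commented with ; or # are ignored."""
    listen = mode = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        key, _, val = line.partition("=")
        if key.strip() == "listen":
            listen = val.strip()
        elif key.strip() == "listen.mode":
            mode = val.strip()
    return listen, mode

def diagnose_502(nginx_text, phpfpm_text):
    """Return the configuration causes of a 502 described on the page, if present."""
    target = nginx_fastcgi_pass(nginx_text)
    listen, mode = phpfpm_listen(phpfpm_text)
    if target is None or listen is None:
        return ["fastcgi_pass or listen not found"]
    findings = []
    if target != listen:
        findings.append(f"socket mismatch: nginx fastcgi_pass {target} vs php-fpm listen {listen}")
    if listen.startswith("/") and mode is None:   # unix socket, default mode 0660 owned by root:root
        findings.append("listen.mode unset (defaults to 0660): nginx's nobody user cannot connect; set listen.mode = 666")
    return findings
```

Run against the constructed excerpts it reports both findings; php-fpm's listen.owner and listen.group directives are the alternative to 666 when the socket should stay private to the nginx worker user.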

3.

php-fpm also returns 502 when its resources are exhausted.

12.16 Nginx Proxy

Requirement:
Users need to reach a web server but, for various reasons, cannot reach it or can only reach it slowly (a private network with no route to it, or accessing a server abroad from inside the country). A proxy that can reach the web server is therefore needed, so that users access it through the proxy server.

Solution
Create a proxy server

[root@aminglinux-02 test.com]# cd /usr/local/nginx/conf/vhost
[root@aminglinux-02 vhost]# pwd
/usr/local/nginx/conf/vhost
[root@aminglinux-02 vhost]# vim proxy.conf   # add the following content
server
{
    listen 80;
    server_name ask.apelearn.com;                       # the domain name this proxy serves
    location /
    {
        proxy_pass      http://121.201.9.155/;         # the upstream (origin) server
        proxy_set_header Host   $host;                   # pass the requested domain to the upstream: $host = server_name ask.apelearn.com
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The proxy server configuration has no root directive: since it is only a proxy, it does not need to access any files on the local server.

After configuring, check the syntax and reload the service:

[root@aminglinux-02 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aminglinux-02 vhost]# /usr/local/nginx/sbin/nginx -s reload

Test

[root@aminglinux-02 vhost]# curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
#
# robots.txt for MiWen
#

User-agent: *

Disallow: /?/admin/
Disallow: /?/people/
Disallow: /?/question/
Disallow: /account/
Disallow: /app/
Disallow: /cache/
Disallow: /install/
Disallow: /models/
Disallow: /crond/run/
Disallow: /search/
Disallow: /static/
Disallow: /setting/
Disallow: /system/
Disallow: /tmp/
Disallow: /themes/
Disallow: /uploads/
Disallow: /url-*
Disallow: /views/
Disallow: /*/ajax/
[root@aminglinux-02 vhost]#

The connection through the proxy succeeded.

Reposted from: https://my.oschina.net/nova12315/blog/1784796
